Discovered in early 2016, Mazar Bot is spread by SMS text messages carrying a link from a URL shortener service. According to attacks encountered in early July 2017, Mazar Bot targeted multiple banks specifically in the German-Austrian region.

This malware, seen on Android devices, requests the following device permissions:

From Spam to Infection

Mazar Bot is used in spam campaigns to gain access to users within a specific region, much like spear phishing. In many cases the attack is spread via SMS, fake webpages, or email spam. First the malware tricks the user into clicking the link; immediately afterwards the user is presented with a login page designed specifically for mobile devices.

Once the malware has received the login information it needs, it displays installation information and explains how to install and use the upcoming application.

At this stage users may still question why they should be downloading another app. To allay that suspicion, a PHP file named “apk-playstore.php” provides some assistance.

Mazar Bot explains to the user how to download and use the app.

  1. Prompts the user to press the specific link button
  2. Gives screenshots that walk through the installation, including enabling installation of applications from unknown sources
  3. Runs the application immediately after installation


Infection Chain

After the malicious application is installed on the end user's device, it asks to be activated as device administrator. In most cases the malicious application icon is then deleted and Command and Control (C&C) communication begins immediately afterwards. The ongoing communication between device and server pulls device information and looks for specific targeted applications. The second stage of communication assigns the infected device a unique ID for database maintenance and support of campaign activity. The moment the user interacts with a legitimate bank application, Mazar Bot triggers an overlay and displays another fake page to harvest more credentials.

Interesting observation: in each of the phishing campaigns, Mazar Bot has created tailor-made applications designed specifically to attack a designated bank/organization. For each targeted application, it also creates a specific subdomain, probably to mask the fake login site and trick the users directed to it.


Strings, the C&C connection

The interesting part of the APK contains some specific C&C-related strings. These strings give an overview of the malware's behavior and capabilities.

The combination of strings strongly supports the claim that the fraudsters behind the malware plan each campaign around one bank application. The features represented in the strings cover device control and communication interception: access to the device's cached memory, grabbing personal data, sending SMS, locking the device, putting the device into sleep mode, and reporting and logging all input/output actions. This configuration is maintained under the unique ID given by the server.

Accepting Credit Cards

Additionally, in the strings section, the fraudsters are also trying their luck with Google Play.

The overlay that pops up while the user is interacting with Google Play or WhatsApp asks for:

  1. Card number
  2. CVC
  3. Expiration Month+Year
  4. Card holder name
  5. Credit card type
  6. Phone number
  7. First, Last Name

Phishing Sites Statistics

Researched by Kyle Paris

According to attacks we encountered in early July, there wasn't any distinctive regional target for the hacked servers. The interesting pattern we did identify was that each attack came with a group of 8-10 phishing links. Each link's main domain was slightly different, by a number or a letter, while the subdomain and subfolder remained the same. Here is a table comparing the phishing link groups by domain name:

Group 1          Group 2
update9091.pw    id78087.pw
update9092.pw    id78086.pw
update9093.pw    id78080.pw
update9094.pw    id78084.pw
update9095.pw    id78083.pw
update9096.pw    id78088.pw
update9097.pw    id78085.pw
update9098.pw    id78089.pw
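As an added example (not code from the original post), the following Python script applies the pattern described above to a list of collected links: it groups them by shared subdomain and path and flags groups whose registered domains differ in only one character. The registered domains in the sample are the ones from the table; the subdomain ("m") and path ("/login/") are placeholders, since the post does not reproduce them.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample links. Registered domains come from the table above; the
# subdomain and path are placeholders. Two unrelated links serve as controls.
SAMPLE_LINKS = (
    [f"http://m.update909{n}.pw/login/" for n in range(1, 9)]
    + [f"http://m.id7808{n}.pw/login/" for n in (7, 6, 0, 4, 3, 8, 5, 9)]
    + ["http://m.example.org/login/", "http://cdn.example.net/static/"]
)

def split_link(url):
    """Return (subdomain, registered_domain, path) for a URL.

    Assumes a simple two-label registered domain such as update9091.pw; a real
    deployment would consult the public-suffix list instead.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:]), parts.path

def varying_positions(domains):
    """Number of character positions at which equal-length domains differ."""
    return sum(1 for chars in zip(*domains) if len(set(chars)) > 1)

def find_campaign_clusters(urls, min_size=8, max_varying=1):
    """Bucket links by (subdomain, path, domain length) and keep buckets of at
    least min_size links whose registered domains differ in at most
    max_varying character positions (a number or a letter changed)."""
    buckets = defaultdict(set)
    for url in urls:
        parsed = split_link(url)
        if parsed is None:
            continue
        sub, registered, path = parsed
        buckets[(sub, path, len(registered))].add(registered)
    clusters = []
    for (sub, path, _), domains in buckets.items():
        ordered = sorted(domains)
        if len(ordered) >= min_size and varying_positions(ordered) <= max_varying:
            clusters.append({"subdomain": sub, "path": path, "domains": ordered})
    return clusters

if __name__ == "__main__":
    for c in find_campaign_clusters(SAMPLE_LINKS):
        print(f"{c['subdomain']}.<domain>{c['path']}: {len(c['domains'])} look-alike domains")
```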